100+ Free CSOM Practice Questions

Certified Security Operations Manager (CSOM) practice questions are available now; exam metadata is being verified.

In the context of SOC documentation, what is the key difference between a 'playbook' and a 'runbook'?

2026 Statistics

Key Facts: CSOM Exam (source: Security Blue Team)

Exam Duration: 24h + 4h
Passing Score: 70%
Course Completion Time: 30-40 hours
Lessons and Labs: 200+
Recommended Experience: 2+ years
Exam Content Areas: 4 domains

Security Blue Team CSOM Syllabus

The CSOM certifies that candidates can plan, build, and mature a Security Operations Centre across the people, process, and technology dimensions. The exam is hybrid: a 24-hour theory component (a scenario-based written report with three tasks) and a 4-hour practical assessment of 20 questions in a browser-based lab; both components require 70% to pass. It is designed for professionals with 2+ years in security operations who are ready to move into SOC management roles.

Sample CSOM Practice Questions

Try these sample questions to test your CSOM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which SOC operating model places all security analysts in a single centralized facility where they monitor the entire organization's security posture?
A. Centralized SOC
B. Distributed SOC
C. Virtual SOC
D. Hybrid SOC
Explanation: A Centralized SOC consolidates all analysts, tools, and data feeds into a single physical or logical location. This model simplifies governance and tool management but can create a single point of failure. It contrasts with distributed and hybrid models that spread resources across locations.
2. In the classic tiered SOC model, what is the primary responsibility of a Tier 1 analyst?
A. Triaging alerts and escalating confirmed incidents
B. Performing threat hunting and proactive detection
C. Managing SIEM tuning and detection rule creation
D. Conducting forensic investigations and malware analysis
Explanation: Tier 1 analysts are the first responders in the SOC. They monitor dashboards and alert queues, perform initial triage to distinguish true positives from false positives, and escalate confirmed or suspected incidents to Tier 2. They typically follow runbooks rather than conducting deep investigations.
3. A SOC manager wants to measure how quickly the team detects a threat after it occurs. Which metric should they track?
A. Mean Time to Detect (MTTD)
B. Mean Time to Respond (MTTR)
C. Mean Time to Contain (MTTC)
D. Alert Volume Rate
Explanation: Mean Time to Detect (MTTD) measures the average elapsed time between the moment a threat event occurs and the moment the SOC identifies it. Reducing MTTD limits the attacker's dwell time inside the environment. It is one of the most critical SOC performance KPIs.
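As an added illustration (not part of the original page), the script below computes MTTD and MTTC from a constructed incident log. The timestamps, incident IDs and severities are invented for the example; the convention that MTTD is measured from the earliest evidence of attacker activity to the time the SOC opened the incident, and MTTC from detection to containment, is the assumption stated in the comments. It also reports the median and maximum next to the mean, because one long-dwell incident can drag a mean up and hide the typical case, and it excludes still-open incidents from MTTC instead of counting them as zero.

```python
"""Compute MTTD and MTTC from a constructed incident log (added example, not page content)."""
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample incidents (not real data). Timestamps are UTC ISO-8601.
#   occurred  = earliest evidence of attacker activity found during the investigation
#   detected  = when the SOC opened the incident
#   contained = when further spread was stopped (None while the incident is still open)
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "occurred": "2025-03-01T08:00:00Z",
     "detected": "2025-03-01T09:30:00Z", "contained": "2025-03-01T11:00:00Z"},
    {"id": "INC-2", "severity": "low", "occurred": "2025-03-02T01:00:00Z",
     "detected": "2025-03-04T01:00:00Z", "contained": "2025-03-04T02:00:00Z"},
    {"id": "INC-3", "severity": "high", "occurred": "2025-03-05T14:00:00Z",
     "detected": "2025-03-05T14:20:00Z", "contained": None},
    {"id": "INC-4", "severity": "medium", "occurred": "2025-03-06T10:00:00Z",
     "detected": "2025-03-06T10:40:00Z", "contained": "2025-03-06T12:40:00Z"},
]


def _ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used above into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minutes_between(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60


def detection_times(incidents):
    """Minutes from occurrence to detection (attacker dwell time) for every incident."""
    return [minutes_between(i["occurred"], i["detected"]) for i in incidents]


def containment_times(incidents):
    """Minutes from detection to containment; open incidents are excluded, not treated as zero."""
    return [minutes_between(i["detected"], i["contained"])
            for i in incidents if i["contained"]]


def summarize(values):
    """Mean alongside median and max: a single long-dwell incident drags the mean up."""
    return {"mean": round(mean(values), 1), "median": round(median(values), 1),
            "max": round(max(values), 1), "n": len(values)}


def soc_metrics(incidents):
    return {"MTTD": summarize(detection_times(incidents)),
            "MTTC": summarize(containment_times(incidents))}


if __name__ == "__main__":
    for name, stats in soc_metrics(INCIDENTS).items():
        print(name, stats)
```

On this constructed data the MTTD mean is 757.5 minutes while the median is 65 minutes: INC-2, a low-severity case that sat undetected for two days, accounts for almost all of the mean. Reporting only the mean to executives would misrepresent how the SOC performs on the high-severity incidents that matter most.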
4. When building a new SOC, which document formally defines the services the SOC will and will not provide to the organization?
A. Incident Response Plan
B. Service Level Agreement (SLA)
C. SOC Charter
D. Standard Operating Procedure (SOP)
Explanation: The SOC Charter is the foundational governance document that defines the SOC's mission, scope, services offered and excluded, authority, escalation paths, and stakeholder relationships. It is created before the SOC becomes operational and sets management expectations.
5. Which threat modeling methodology uses the mnemonic STRIDE to categorize potential security threats?
A. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
B. PASTA (Process for Attack Simulation and Threat Analysis)
C. DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)
D. LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance)
Explanation: STRIDE was developed at Microsoft and categorizes threats into six types: Spoofing identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is one of the most widely used frameworks for systematic threat identification during system design.
6. A SOC manager receives executive pressure to increase alert-handling speed. Upon review, they find 60% of alerts are false positives generated by a poorly tuned SIEM rule. What is the MOST effective first action?
A. Hire additional Tier 1 analysts to process the extra alert volume
B. Disable the SIEM rule temporarily to reduce analyst fatigue
C. Tune the SIEM detection rule to reduce false positives while preserving true positive coverage
D. Escalate all alerts directly to Tier 2 to speed up triage
Explanation: Tuning the detection rule addresses the root cause: a 60% false positive rate indicates the rule's logic needs refinement. Effective tuning preserves detection fidelity while cutting noise, improving analyst efficiency without adding headcount or bypassing controls. Disabling the rule (B) trades noise for a detection gap, and options A and D only move the noise around. A good tuning practice is to re-run the original and tuned logic over a labelled sample of past events and confirm that recall on the known true positives is unchanged before the change goes live. This aligns with the SOC manager's responsibility for the quality of detections.
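The following added example (written for this page, not taken from it or from any vendor's rule set) shows what "tune while preserving true positive coverage" looks like in practice. The events, the management agent path, the service account name and the command lines are all constructed. The baseline rule fires on every encoded PowerShell command line and is 60% false positives because a legitimate management agent launches encoded PowerShell on a schedule. The tuned rule excludes only that one documented source, keyed on the full parent path and the account together, so an attacker who obtains the service account but runs from another location still fires. Both rules are scored over the same labelled sample.

```python
"""Baseline vs tuned SIEM rule over constructed, labelled process-creation events (added example)."""
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the trailing \s keeps
# "-ExecutionPolicy" from matching.
ENCODED_FLAG = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s")

# Constructed events: six benign runs of a management agent, four malicious
# encoded launches, and one plain PowerShell run that neither rule should match.
EVENTS = [
    *[{"parent": r"C:\Program Files\Mgmt\agent.exe", "user": r"CORP\svc_mgmt",
       "cmdline": "powershell.exe -NoProfile -EncodedCommand UwB0AGEAcgB0AC0A...",
       "malicious": False} for _ in range(6)],
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "user": r"CORP\alice", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A...",
     "malicious": True},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "user": r"CORP\bob", "cmdline": "powershell.exe -ec JABjAGwAaQBlAG4AdAA...",
     "malicious": True},
    {"parent": r"C:\Windows\System32\wscript.exe", "user": r"CORP\carol",
     "cmdline": "powershell.exe -EncodedCommand aQBlAHgAIAAoAE4A...", "malicious": True},
    # Attacker holding the service account, but running a copy of the agent from a user-writable path
    {"parent": r"C:\Users\Public\agent.exe", "user": r"CORP\svc_mgmt",
     "cmdline": "powershell.exe -enc aQBlAHgAIAAoAE4A...", "malicious": True},
    {"parent": r"C:\Windows\explorer.exe", "user": r"CORP\dave",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\report.ps1",
     "malicious": False},
]


def baseline_rule(ev):
    """Original rule: any PowerShell launch with an encoded command line."""
    return ev["cmdline"].lower().startswith("powershell") and bool(ENCODED_FLAG.search(ev["cmdline"]))


# The single documented automation source. Both fields must match: excluding on the
# account alone would let anyone holding that account run encoded PowerShell unseen.
KNOWN_GOOD = {(r"C:\Program Files\Mgmt\agent.exe".lower(), r"CORP\svc_mgmt".lower())}


def tuned_rule(ev):
    """Same detection logic minus the one known-good (parent path, account) pair."""
    if not baseline_rule(ev):
        return False
    return (ev["parent"].lower(), ev["user"].lower()) not in KNOWN_GOOD


def evaluate(rule, events):
    """Score a rule against labelled events: false-positive share of what fired, and recall."""
    fired = [ev for ev in events if rule(ev)]
    tp = sum(ev["malicious"] for ev in fired)
    fp = len(fired) - tp
    fn = sum(ev["malicious"] for ev in events) - tp
    return {"fired": len(fired), "tp": tp, "fp": fp, "fn": fn,
            "fp_rate": round(fp / len(fired), 2) if fired else 0.0,
            "recall": round(tp / (tp + fn), 2) if tp + fn else 1.0}


if __name__ == "__main__":
    print("baseline:", evaluate(baseline_rule, EVENTS))
    print("tuned:   ", evaluate(tuned_rule, EVENTS))
```

The baseline fires ten times with six false positives (a 60% false-positive rate, as in the question) and the tuned rule fires four times with none, while recall stays at 100% because the lookalike agent under C:\Users\Public still matches. In a real SIEM the same check would be run against weeks of historical events, not eleven constructed ones, and the exclusion would be documented with an owner and a review date so it does not silently outlive the agent it was written for.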
7. Which SOC maturity model level is characterized by the SOC having repeatable, documented processes but limited use of threat intelligence and proactive hunting?
A. Level 1 — Ad Hoc
B. Level 2 — Managed
C. Level 3 — Defined
D. Level 4 — Quantitatively Managed
Explanation: In common SOC maturity frameworks (such as those derived from CMMI), Level 2 (Managed) is where processes first become repeatable within individual teams, and Level 3 (Defined) is where they are standardized, documented, and consistently applied organization-wide. Advanced capabilities such as systematic threat intelligence integration, metrics-driven improvement, and proactive threat hunting are typically associated with Levels 4 and 5.
8. In the context of SOC capacity planning, what does the concept of 'analyst utilization rate' measure?
A. The ratio of productive security work time to total available working hours
B. The percentage of analyst time spent on confirmed incidents vs. false positives
C. The number of alerts an analyst can process per hour
D. The percentage of SIEM capacity consumed by current data ingestion
Explanation: Analyst utilization rate measures how much of an analyst's available working time is spent on productive security tasks (alert triage, investigation, escalation) versus administrative work, meetings, or idle time. Maintaining sustainable utilization (typically 60–80%) prevents burnout and ensures capacity for surge events.
9. Which framework is MOST commonly used to map adversary tactics, techniques, and sub-techniques to support SOC detection coverage assessments?
A. MITRE ATT&CK
B. NIST Cybersecurity Framework (CSF)
C. ISO/IEC 27001
D. OWASP Top 10
Explanation: MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors organized into tactics (the 'why') and techniques (the 'how'). SOC managers use ATT&CK to assess which attack techniques their detection stack covers, identify gaps, and prioritize detection engineering efforts.
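As an added example of such a coverage assessment (written for this page; it is not MITRE's tooling nor any product's), the script below scores a constructed detection inventory against a constructed priority list of techniques. The technique IDs, names and tactic labels are real ATT&CK identifiers (for techniques that belong to several tactics only one is shown, as the comment notes), but which techniques a SOC prioritizes, the rule names and their enabled/tested state are invented. Two choices a practitioner would want made explicit are built in: a rule only counts as coverage if it is both enabled and has been validated against a test, and a rule tagged with a parent technique is credited for its sub-techniques.

```python
"""Detection coverage assessment against a constructed ATT&CK priority list (added example)."""

# Real ATT&CK technique IDs; the selection and the single tactic shown per technique
# are a simplification for the example (e.g. T1078 and T1053.005 span several tactics).
PRIORITY_TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1047": ("Windows Management Instrumentation", "execution"),
    "T1053.005": ("Scheduled Task", "persistence"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement"),
    "T1021.002": ("SMB/Windows Admin Shares", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed detection inventory: rule names, tags and states are invented.
RULES = [
    {"name": "Encoded PowerShell", "techniques": ["T1059.001"], "enabled": True, "tested": True},
    {"name": "LSASS access by non-system process", "techniques": ["T1003.001"], "enabled": True, "tested": True},
    {"name": "Scheduled task created via schtasks", "techniques": ["T1053.005"], "enabled": True, "tested": False},
    {"name": "RDP logon from new source", "techniques": ["T1021.001", "T1078"], "enabled": False, "tested": True},
    {"name": "Mass file rename with ransom-note extension", "techniques": ["T1486"], "enabled": True, "tested": True},
    {"name": "Admin share session from workstation", "techniques": ["T1021"], "enabled": True, "tested": True},
]


def tag_covers(tag, technique_id):
    """A rule tagged with a parent technique is credited for all of its sub-techniques."""
    return technique_id == tag or technique_id.startswith(tag + ".")


def assess_coverage(techniques, rules, require_tested=True):
    """Map each priority technique to the rules that effectively cover it and summarize gaps."""
    covering = {tid: [] for tid in techniques}
    for rule in rules:
        # A disabled rule, or one never validated, is paper coverage only.
        if not rule["enabled"] or (require_tested and not rule["tested"]):
            continue
        for tag in rule["techniques"]:
            for tid in techniques:
                if tag_covers(tag, tid):
                    covering[tid].append(rule["name"])

    by_tactic, gaps, single_rule = {}, [], []
    for tid, (_name, tactic) in techniques.items():
        counts = by_tactic.setdefault(tactic, {"covered": 0, "total": 0})
        counts["total"] += 1
        if covering[tid]:
            counts["covered"] += 1
            if len(covering[tid]) == 1:
                single_rule.append(tid)  # one rule change away from becoming a gap
        else:
            gaps.append(tid)
    return {"gaps": sorted(gaps), "single_rule": sorted(single_rule),
            "by_tactic": by_tactic, "covering": covering}


if __name__ == "__main__":
    report = assess_coverage(PRIORITY_TECHNIQUES, RULES)
    for tactic, counts in report["by_tactic"].items():
        print(f"{tactic:18} {counts['covered']}/{counts['total']}")
    print("gaps:", report["gaps"])
    print("single-rule coverage:", report["single_rule"])
```

With the validation requirement on, the untested scheduled-task rule and the disabled RDP rule drop out, leaving four gaps (T1047, T1053.005, T1078, T1566) and no coverage at all for initial access; rerunning with require_tested=False shows how much of the apparent coverage rests on rules nobody has exercised. The single_rule list is the prioritization hint: every covered technique here depends on exactly one rule, so any one tuning change can open a gap.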
10. A SOC manager wants to enable automated containment actions when an EDR alert fires on a known-malicious process hash. Which technology combination should they implement?
A. SOAR + EDR integration
B. SIEM + Log Aggregator
C. IDS + Firewall
D. UEBA + DLP
Explanation: SOAR (Security Orchestration, Automation, and Response) platforms connect with EDR tools via APIs to trigger automated playbook actions, such as isolating a host, killing a process, or blocking a hash, in response to alerts. This reduces mean time to contain by removing manual steps from repetitive response tasks.
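The decision logic of such a playbook, as an added example written for this page rather than any SOAR vendor's own playbook format: the hashes, host names, critical-asset list and rate limit are constructed, and the EDR client is an in-memory stand-in that records the actions a real API call would perform. What the example adds to the explanation above are the guardrails a SOC manager has to decide on before switching automation on: process kill and hash block are applied everywhere, but host isolation is skipped and escalated to a human for a small set of critical assets, and is rate-limited so that a bad indicator cannot isolate the whole fleet in minutes.

```python
"""Automated-containment playbook with guardrails (added example; constructed inputs)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder hash, not a real indicator.
BAD_HASH = "aa" * 32
KNOWN_MALICIOUS_SHA256 = {BAD_HASH: "constructed sample indicator"}

CRITICAL_HOSTS = {"dc01", "dc02", "soar01"}   # constructed: never isolated automatically
MAX_ISOLATIONS_PER_WINDOW = 3                 # constructed threshold
WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    host: str
    sha256: str
    process_id: int
    observed: datetime


class FakeEdr:
    """Stand-in for an EDR API client; records the actions the playbook would take."""
    def __init__(self):
        self.actions = []

    def kill_process(self, host, pid):
        self.actions.append(("kill", host, pid))

    def block_hash(self, sha256):
        self.actions.append(("block_hash", sha256))

    def isolate_host(self, host):
        self.actions.append(("isolate", host))


class Playbook:
    def __init__(self, edr, blocklist, critical_hosts=CRITICAL_HOSTS):
        self.edr, self.blocklist, self.critical = edr, blocklist, critical_hosts
        self.isolations = []    # timestamps of recent automatic isolations
        self.escalations = []   # (host, reason) pairs handed to an analyst

    def _rate_limited(self, now):
        self.isolations = [t for t in self.isolations if now - t < WINDOW]
        return len(self.isolations) >= MAX_ISOLATIONS_PER_WINDOW

    def handle(self, alert):
        """Return the decision taken for one alert."""
        sha = alert.sha256.lower()
        if sha not in self.blocklist:
            return "no-match"               # not this playbook's trigger; normal triage applies
        # Steps safe to automate on any host: stop the process and block the hash fleet-wide.
        self.edr.kill_process(alert.host, alert.process_id)
        self.edr.block_hash(sha)
        if alert.host.lower() in self.critical:
            self.escalations.append((alert.host, "critical asset: manual isolation decision"))
            return "escalated-critical-asset"
        if self._rate_limited(alert.observed):
            self.escalations.append((alert.host, "isolation rate limit hit: possible bad indicator"))
            return "escalated-rate-limit"
        self.edr.isolate_host(alert.host)
        self.isolations.append(alert.observed)
        return "isolated"


def run_demo():
    """Feed a constructed sequence of alerts through the playbook."""
    edr = FakeEdr()
    pb = Playbook(edr, KNOWN_MALICIOUS_SHA256)
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    alerts = [
        Alert("ws-101", BAD_HASH, 4412, t0),
        Alert("ws-102", "cc" * 32, 901, t0 + timedelta(minutes=1)),    # unknown hash
        Alert("dc01", BAD_HASH, 512, t0 + timedelta(minutes=2)),        # domain controller
        Alert("ws-103", BAD_HASH, 7001, t0 + timedelta(minutes=3)),
        Alert("ws-104", BAD_HASH, 7002, t0 + timedelta(minutes=4)),
        Alert("ws-105", BAD_HASH, 7003, t0 + timedelta(minutes=5)),    # 4th in window
        Alert("ws-106", BAD_HASH, 7004, t0 + timedelta(minutes=20)),   # window expired
    ]
    return [pb.handle(a) for a in alerts], edr.actions, pb.escalations


if __name__ == "__main__":
    decisions, actions, escalations = run_demo()
    print(decisions)
    print(escalations)
```

In the demo the first workstation is isolated, the unknown hash is left to normal triage, the domain controller gets its process killed and the hash blocked but is escalated rather than isolated, the fourth isolation inside ten minutes is escalated as a possible bad indicator, and automation resumes once the window has passed. Those two escalation paths are the reason the SOAR rollout needs a named on-call owner: automation that can only act or do nothing fails closed in the wrong direction.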

About the CSOM Practice Questions

Verified exam format metadata for Certified Security Operations Manager (CSOM) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.